Memorandum of Understanding between the Information
Commissioner and the Financial Conduct Authority 


Introduction 


1. This Memorandum of Understanding (MoU) establishes a framework
for cooperation, coordination and information sharing between the 
Information Commissioner ("the Commissioner") and the 
Financial Conduct Authority (“the FCA”), collectively referred to as 
"the parties" throughout this document. In particular, it sets out 
the broad principles of collaboration and the legal framework 
governing the sharing of relevant information and intelligence 
between the parties. The shared aims of this MoU are to enable 
closer working between the parties, including the exchange of 
appropriate information, so as to assist them in discharging their 
regulatory functions. 


2. This MoU is a statement of intent that does not give rise to legally
binding obligations on the part of either the Commissioner or the 
FCA. The arrangements set out in this MoU are subject to what is 
permitted and required by law. The parties have determined that 
they do not exchange sufficient quantities of personal data to 
warrant entering into a separate data sharing agreement, but this 
will be kept under review. 


The role and function of the Information Commissioner 


3. The Commissioner is a corporation sole appointed by Her Majesty
the Queen under the General Data Protection Regulation and the 
Data Protection Act 2018 to act as the UK’s independent regulator 
to uphold information rights in the public interest, promote 
openness by public bodies and data privacy for individuals. 


4. The Commissioner is empowered to take a range of regulatory
action for breaches of the following legislation:

• Data Protection Act 2018 (DPA);
• General Data Protection Regulation (GDPR);
• Privacy and Electronic Communications (EC Directive)
  Regulations 2003 (PECR);
• Freedom of Information Act 2000 (FOIA);
• Environmental Information Regulations 2004 (EIR);
• Environmental Protection Public Sector Information
  Regulations 2009 (INSPIRE Regulations);
• Investigatory Powers Act 2016;
• Re-use of Public Sector Information Regulations 2015;
• Enterprise Act 2002;
• Security of Network and Information Systems Directive (NIS
  Directive); and
• Electronic Identification, Authentication and Trust Services
  Regulation (eIDAS).


5. Article 57 of the GDPR and Section 115(2)(a) of the DPA 2018 place
a broad range of statutory duties on the Commissioner, including
monitoring and enforcement of the GDPR, promotion of good 
practice and adherence to the data protection obligations by those 
who process personal data. These duties sit alongside those relating 
to the other enforcement regimes outlined in paragraph 4 above. 


6. The Commissioner’s regulatory and enforcement powers include:

• conducting assessments of compliance with the DPA, GDPR,
  PECR, eIDAS, the NIS Directive, FOIA and EIR;
• issuing information notices requiring individuals, controllers or
  processors to provide information in relation to an
  investigation;
• issuing enforcement notices, warnings, reprimands, practice
  recommendations and other orders requiring specific actions
  by an individual or organisation to resolve breaches (including
  potential breaches) of data protection legislation and other
  information rights obligations;
• administering fines by way of penalty notices in the
  circumstances set out in section 152 of the DPA;
• administering fixed penalties for failing to meet specific
  obligations (such as failing to pay the relevant fee to the
  Commissioner);
• issuing decision notices detailing the outcome of an
  investigation under FOIA or EIR;
• certifying contempt of court should an authority fail to comply
  with an information notice, decision notice or enforcement
  notice under FOIA or EIR; and
• prosecuting criminal offences before the Courts.


7. Regulation 31 of PECR, as amended by the Privacy and Electronic 
Communications (EC Directive) (Amendment) Regulations 2011, 
also provides the Commissioner with the power to serve 
enforcement notices and issue monetary penalty notices as above 
to organisations who breach PECR. This includes, but is not limited 
to, breaches in the form of unsolicited marketing which falls within 
the ambit of PECR, including automated telephone calls made 
without consent, live telephone calls which have not been screened 
against the Telephone Preference Service, and unsolicited electronic 
messages (Regulations 19, 21 and 22 of PECR respectively). 


Functions and powers of the FCA 


8. The FCA is responsible under the Financial Services and Markets Act 
2000 for making and enforcing rules governing the conduct of firms 
authorised and regulated by the FCA, regulating standards of 
conduct in retail and wholesale markets and for supervising the 
trading infrastructures that support those markets. The FCA is 
responsible for the prudential supervision of firms that are not 
regulated by the Prudential Regulation Authority (PRA) and is also 
responsible for the regulation of primary securities markets, 
including via monitoring market disclosures, reviewing and 
approving prospectuses and operating the UK listing regime. 


9. The FCA has a single strategic objective: to ensure that the relevant 
markets (as defined in section 6 (1F) Financial Services Act 2012) 
function well. Three operational objectives support this strategic 
objective: securing an appropriate degree of protection for
consumers (including wholesale consumers); protecting and
enhancing the integrity of the financial system; and promoting
effective competition in the interest of consumers in the markets for
financial services.


10. The FCA does this via oversight and regulation of the UK financial
markets which includes:

• authorisation of individuals who carry on regulated activities;
• a market-based approach to the supervision of firms in the
  financial services sector;
• investigation and enforcement activity against firms and
  individuals who are carrying out or purporting to carry out
  regulated activities and financial services (with or without
  authorisation);
• exercising powers under the Competition Act 1998; and
• bringing criminal prosecutions, including, in appropriate cases,
  of market abuse, financial crime and serious unauthorised
  business.


Co-operation between the Commissioner and the FCA 


11. Subject to any legal or procedural restrictions on the disclosure of
information (whether imposed by statute or otherwise) and at their
discretion, both parties agree that they will alert each other to any
potential breaches of the legislation regulated by the Commissioner,
within the context of this relationship, discovered whilst undertaking
regulatory duties, and provide relevant and necessary supporting
information.


12. Similarly, although again subject to any legal restrictions on the
disclosure of information, the Commissioner will, at her discretion, 
alert the FCA to any potential breaches of the legislation regulated 
by the FCA within the context of this relationship and provide 
relevant and necessary supporting information. 
13. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at their discretion,
both parties will:

• Communicate regularly to discuss matters of mutual interest
  (this may involve participating in multi-agency groups to
  address common issues and threats); and
• Consult one another on any issues which might have
  significant implications for the other organisation.


14. Both parties will comply with the general laws they are subject to,
including, but not limited to, local data protection laws; the
maintenance of any prescribed documentation and policies; and
comply with any governance requirements in particular relating to
security and retention, and process personal data in accordance
with the statutory rights of individuals.


15. The FCA and the Commissioner will exchange information on
relevant issues of interest to the extent permitted by law, and as
appropriate and relevant to their respective objectives. This may
include, but is not limited to:

• information about investigations and notifying the other about
  any relevant action taken against a person or firm by one
  regulator which may be relevant to the functions of the other;
• information held by either regulator regarding fraud/criminal or
  any other activity that might cast doubt on the fitness and
  propriety of an FCA-authorised firm, certified individuals or an
  approved person; or
• information or intelligence held by the Commissioner which
  indicates that there may be a failure of an FCA-authorised firm's
  regulated activities (including the implementation or
  effectiveness of its systems and controls).


16. The FCA and the Commissioner may request information from each
other and will include the details of the information sought and why 
it would assist them to carry out their functions. Each may suggest 
a reasonable deadline for response, including an explanation of any 
urgency. 
17. The FCA and the Commissioner may consult and co-ordinate in
respect of reviews, calls for evidence and recommendations directed
towards both parties, where appropriate. In addition, if one
regulator considers that information it has gathered will be
materially relevant to the other, it will notify the other to enable the
other to request disclosure of such information.


18. In the case of a major incident of mutual interest at an FCA
regulated firm, the FCA and Information Commissioner will work 
together in line with agreed incident protocol in order to secure the 
best outcomes for consumers and ensure incidents are dealt with in 
a co-ordinated and efficient manner. 


Purpose of information sharing 


19. The purpose of the MoU is to enable both the Commissioner and the
FCA to share relevant information which enhances their ability to
exercise their respective functions.


20. This MoU should not be interpreted as imposing a requirement on
either party to disclose information in circumstances where doing so 
would breach their statutory responsibilities. In particular, each 
party must ensure that any disclosure of personal data pursuant to 
these arrangements fully complies with both the GDPR and the DPA 
2018. The MoU sets out the potential legal basis for information 
sharing, but it is for each party to determine for themselves that 
any proposed disclosure is compliant with the law. 


Legal basis for sharing information 


Information shared by the FCA with the Commissioner 


21. Subject to any disclosure restrictions applicable to the FCA, the FCA
may disclose confidential information to the Commissioner to
facilitate the carrying out of a statutory function of the FCA under
Regulation 3 of The Financial Services and Markets Act 2000
(Confidential Information) Regulations 2001 (SI 2001/2188) (the
Disclosure Regulations), or a function of the Commissioner in
relation to the provision of claims management services under
Regulation 9 or 12 of the Disclosure Regulations (by virtue of the
amendment to Schedule 1 of the Disclosure Regulations by Article
99 of the Financial Services and Markets Act 2000 (Claims
Management Activity) Order 2018 (“the Order”)). The FCA may also
disclose confidential information to the Commissioner to facilitate
the carrying out of a statutory function of the Commissioner.


22. The Commissioner's statutory function relates to the legislation set
out at paragraph 4, and this MoU governs information shared by the
FCA to assist the Commissioner to meet those responsibilities. To
the extent that any such shared information is to comprise personal
data, as defined under the GDPR and DPA 2018, the FCA is a Data
Controller so must ensure that it has legal basis to share it and that
doing so would otherwise be compliant with the data protection
principles.


23. Section 131 of the Data Protection Act 2018 may provide a legal
basis for the FCA to share information with the Commissioner. 
Under this particular provision, the FCA is not prohibited or 
restricted from disclosing information to the Commissioner by any 
other enactment or rule of law provided it is "information necessary 
for the discharge of the Commissioner's functions". 


Information shared by the Commissioner with the FCA 


24. The Commissioner, during the course of her activities, will receive
information from a range of sources, including personal data. She
will process all personal data in accordance with the principles of
the GDPR, the DPA 2018 and all other applicable legislation. The
Commissioner may identify that information she holds, which may
include personal data, ought to be shared with the FCA as it would
assist them in performing their functions and responsibilities.


25. Section 132(1) of the DPA 2018 states that information obtained by
the Commissioner in the course of, or for the purposes of,
discharging her functions can only be shared with others if there is
lawful authority to do so. Section 132(2) of the DPA 2018 sets out
the circumstances in which the Commissioner will have the lawful
authority to share that personal data with the FCA. In particular, it
will be lawful in circumstances where:

• The sharing was necessary for the purpose of the
  Commissioner discharging her functions (section 132(2)(c));
• The sharing was made for the purposes of criminal or civil
  proceedings, however arising (section 132(2)(e)); and
• The sharing was necessary in the public interest, taking into
  account the rights, freedoms and legitimate interests of any
  person (section 132(2)(f)).


26. The Commissioner will therefore be permitted to share information 
with the FCA in circumstances where it has determined that it is 
reasonably necessary to do so in furtherance of one of those 
grounds outlined at paragraph 25. In doing so, the Commissioner 
will identify the function of the FCA with which that information may 
assist, and assess whether that function could reasonably be 
achieved without access to the particular information in question. 


27. If information to be disclosed by the Commissioner was received by 
her in the course of discharging her functions as a designated 
enforcer under the Enterprise Act 2002, any disclosure shall be 
made in accordance with the restrictions set out in Part 9 of that 
Act. 


28. Where information is to be disclosed by either party for law 
enforcement purposes under section 35(4) or 35(5) of the DPA 2018
then they will only do so in accordance with an appropriate policy 
document as outlined by section 42 of the DPA. 


29. Where a request for information is received by either party under 
data protection laws or FOIA, the recipient of the request will seek 
the views of the other party as described in the FOIA section 45 
Code of Practice, where the information being sought under the 
request includes information obtained from, or shared by, the other 
party. However the decision to disclose or withhold the information 
(and therefore any liability arising out of that decision) remains with 
the party in receipt of the request as Data Controller in respect of 
that data. 


Policies, guidance and FCA rule-making 


30. Each regulator will make rules and / or policies in pursuit of their 
separate objectives. The parties will seek to understand and where 
appropriate collaborate and co-ordinate work on their respective
policies that have a material effect on the other’s objectives. This
may include, but not be limited to, work on:

• regulatory policy;
• industry standards and recommendations;
• regulatory materials, such as codes of practice, rules and
  guidance;
• assessments of the landscape and risk analysis to inform
  policy-making;
• FCA consumer alerts concerning advertising;
• competition in the financial advertising sector;
• innovation initiatives; and
• any other projects that may be identified on an ad hoc basis,
  particularly to aid understanding of how the two regulators
  work together.


31. The parties will liaise closely to ensure that their separate
awareness activities are complementary. Where appropriate, both 
regulators will share communication and publication plans to 
facilitate joined up messages and effective resource planning. 


Investigation and enforcement 


32. The parties recognise that there are areas in which they have
complementary functions and powers. They will therefore
endeavour to ensure that in these cases, the most appropriate body
or bodies will commence and lead investigations. To the extent
permitted by law and having regard to their respective powers,
expertise and resources, they will seek to ensure that in cases of
investigations, the parties will notify each other of significant
developments where the other is likely to have an interest. Where
appropriate, the parties will discuss the steps they propose to take
and ensure co-ordination takes place in a timely manner, where
possible, allowing for a proper exchange of views.


33. The parties may refer a matter for action if the other body is
considered more appropriate to deal with the matter. Any such
referral will include the action sought and the legal powers it
considers are available to the other. Where the other party
determines not to proceed, an explanation will be provided, where
possible.


34. Where the parties agree that an investigation should be carried out
by both regulators, it will usually be appropriate that both
investigations proceed in parallel. However, in appropriate
circumstances, they will consider whether the particular facts of the
matter, as they are known at that time, suggest that one party’s
investigation should proceed before the other’s.


35. Where either party carries out any subsequent investigation and
proceedings alone, that party will keep the other regularly updated
on material aspects of the progress of the investigation.


36. If a decision is made by either party to take action against a
subject, the FCA and the Commissioner should consider whether it
is possible and would be appropriate to co-ordinate publication of
applicable enforcement announcements so that both parties publish
the outcome of their investigations simultaneously. In any event,
the FCA and the Commissioner will endeavour to give the other
appropriate notice of any press release or other public statement it
intends to make relating to enforcement cases in which the other
may have an interest, no later than 24 hours prior to publication
unless there are overriding reasons which prevent or delay such
notice.


37. Relevant FCA and the Commissioner's staff will, where appropriate,
seek to maintain general awareness and understanding of each 
other's functions and needs and will liaise with each other to ensure 
that issues are appropriately identified. 


Confidentiality and data breach reporting 


38. Appropriate security measures shall be agreed to protect
information transfers in accordance with the sensitivity of the
information and any classification that is applied by the sender.


39. Where confidential material is shared between parties it will be
marked with the appropriate security classification. 




40. Where one party has received information from the other, it will
consult with the other party before passing the information to a
third party or using the information in an enforcement proceeding
or court case.


41. Where confidential material obtained from, or shared by, the
originating party is wrongfully disclosed by the party holding the
information, this party will bring this to the attention of the
originating party without delay. This is in addition to obligations to
report a personal data breach under the GDPR and/or DPA where
personal data is contained in the information disclosed.


42. In accordance with relevant legislation, the FCA and the
Commissioner will protect the confidentiality and sensitivity of all
unpublished regulatory and other confidential information received
from the other regulator, and maintain effective controls designed
to minimise the risk of inappropriate disclosures.


43. Where one Party has received information from the other, it may
use the information for purposes set out in requests for information
or otherwise agreed, but will notify the other before passing the
information to a third party unless the sending Party has placed
additional restrictions.


44. The FCA and the Commissioner will liaise where relevant, to the
extent permitted by law and having regard to their respective 
objectives, on responding to enquiries from the public, including 
FOIA requests and will consult each other before releasing 
information originally belonging to the other. 


Duration and review of the MoU 


45. The Commissioner and the FCA will monitor the operation of this
MoU and will review it biennially.


46. Any minor changes to this memorandum identified between reviews
may be agreed in writing between the parties.


47. Any issues arising in relation to this memorandum will be notified to
the point of contact for each organisation. 


Contact: 
48. The parties have both identified a key person who is responsible for
managing this MoU. Those individuals will maintain an open
dialogue between each other in order to ensure that the MoU
remains effective and fit for purpose. They will also seek to identify
any difficulties in the working relationship, and proactively seek to
minimise the same.


Signatories 


James Dipple-Johnstone
Executive Director
Operations,
Information Commissioner’s Office

Date: 18/02/2019


Christopher Woolard
Executive Director - Strategy
& Competition, Financial
Conduct Authority

Date: 18/02/2019


